Malware analysis Chew7.exe Malicious activity | ANY.RUN

Add for printing

File name:	Chew7.exe
Full analysis:	https://app.any.run/tasks/633c7f35-22ac-4433-8808-62049be1fa75
Verdict:	Malicious activity
Analysis date:	January 23, 2019, 05:53:25
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	7B232997942B2A5C7E4DBE931BB4C67C
SHA1:	06C6D3B5B66585F03BAB25C774BAADB575CB1515
SHA256:	0A88FAA27484C7C163BC90FBF806A9DAB84226C2F60F3410695278EE76D065F5
SSDEEP:	98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - hale.exe (PID: 2580)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Chew7.exe (PID: 3760)
  - hale.exe (PID: 2580)
- Creates files in the Windows directory
  - Chew7.exe (PID: 3760)
- Uses TASKKILL.EXE to kill process
  - Chew7.exe (PID: 3760)
- Uses REG.EXE to modify Windows registry
  - cmd.exe (PID: 2852)
  - cmd.exe (PID: 3692)
  - cmd.exe (PID: 3888)
  - cmd.exe (PID: 3480)
  - cmd.exe (PID: 2708)
- Starts CMD.EXE for commands execution
  - hale.exe (PID: 2580)
  - cmd.exe (PID: 3692)
- Application launched itself
  - cmd.exe (PID: 3692)
- Uses TASKLIST.EXE to query information about running processes
  - cmd.exe (PID: 3692)
- Uses ICACLS.EXE to modify access control list
  - cmd.exe (PID: 3692)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (43.2)
.exe	\|	Win64 Executable (generic) (16.2)
.exe	\|	UPX compressed Win32 Executable (15.9)
.exe	\|	Win32 EXE Yoda's Crypter (15.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:08:01 23:59:57+02:00
PEType:	PE32
LinkerVersion:	8
CodeSize:	4696576
InitializedDataSize:	108032
UninitializedDataSize:	-
EntryPoint:	0x47c7fe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	0.6.8.4
ProductVersionNumber:	1.1.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:	The Science of Activation
FileVersion:	0.6.8.4
InternalName:	Chew7.exe
LegalCopyright:	© Chew7. All rights reserved.
OriginalFileName:	Chew7.exe
ProductName:	Chew7 v1.1
ProductVersion:	1.1.0.0
AssemblyVersion:	0.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

760

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v LastAttempt /t REG_SZ /d install /f

C:\Windows\system32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

760

C:\Windows\system32\cmd.exe /c TIME /T

C:\Windows\system32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\imm32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll

1488

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled

C:\Windows\system32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2396

REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName

C:\Windows\system32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2492

C:\Windows\system32\cmd.exe /S /D /c" ECHO.x86"

C:\Windows\system32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2536

TASKLIST /FI "IMAGENAME eq Chew7.exe"

C:\Windows\system32\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Lists the current running tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\tasklist.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2560

FIND "64"

C:\Windows\system32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\find.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2580

"C:\Windows\system32\hale.exe"

C:\Windows\system32\hale.exe

Chew7.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\windows\system32\hale.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2620

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE

C:\Windows\system32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2684

"C:\Windows\System32\taskkill.exe" /f /im cmd.exe

C:\Windows\System32\taskkill.exe

—

Chew7.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

Add for printing

Total events

463

Read events

453

Write events

Delete events

Modification events


(PID) Process:	(3760) Chew7.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3760) Chew7.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2972) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
Operation:	write	Name:
Value:
(PID) Process:	(2580) hale.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2580) hale.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(760) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
Operation:	write	Name:	LastAttempt
Value: install

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\crc32.exe		executable
		MD5:682AC7BB084C88E73D628CDF57DFF336	SHA256:D9C72A8CECCB6D73DAD98EF44495738286286E85102E033FE7F09069BC02FBA2
3760	Chew7.exe	C:\Windows\system32\hale.exe		executable
		MD5:2469DECEC0E28CB3C83E7FC47CB4AD12	SHA256:E4D7BB65281A62E905EB2E7AEF466525A24403079D4579029847D75142B48282
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\bump.exe		executable
		MD5:2D9A30606A718BFDB4E5E9B6C2939881	SHA256:1F57F10A0B2C52BB6F89504E047854502E42EBF9F6153A1A4549A55099F98B51
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\flick.exe		executable
		MD5:2E2827BA66BFE75BC2FE2D0A02EECC73	SHA256:4CFA00888B15201BC0EBC133431D55845C807C5E38E85CF910C481EC9F5A66EB
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\intv.cmd		text
		MD5:3AB983628DA0FD9F8AFD497D07F33D76	SHA256:97754BA105CD61128EBEF8AAB5272F669A72B64F44B6D861C8D507C088410A27
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\ownc.cmd		text
		MD5:F16F9A87E6A9F18921A30AC379B81995	SHA256:9177BAC8288A592264DD90D2C956433A8818F1A34A5D864BD626DF3FDE0E0CFA
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\godo.cmd		text
		MD5:92CE8CBF009CEA52544956D2CC6A810F	SHA256:89F1E56537B38E367A79C33D75D3A2913FF249D7623363DC48F373EB1B8B14AD
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\hash.cmd		text
		MD5:467B51F35949C5A3F722BA736CE920E4	SHA256:6C28FA6BF656B77085B464485FD085D4D6EEB7E3A0FF2DFF690DC813B492580C
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\lhed.cmd		text
		MD5:34670DB25D9AFD4F3912F77F2E5C7D08	SHA256:A4761B5A5F5E6542867BA1CAA87676410B7AEDCCD762826359046167771659FF
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\pendx.cmd		text
		MD5:3AF31A071967EC43A0AC6E3605FF1D8C	SHA256:A0197323DA44005AEC9726CABAEE9F1027FA07EB5367F3FCEAAD05E3728C0324

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Chew7.exe

7B232997942B2A5C7E4DBE931BB4C67C

06C6D3B5B66585F03BAB25C774BAADB575CB1515

0A88FAA27484C7C163BC90FBF806A9DAB84226C2F60F3410695278EE76D065F5

98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the Windows directory

Uses TASKKILL.EXE to kill process

Uses REG.EXE to modify Windows registry

Starts CMD.EXE for commands execution

Application launched itself

Uses TASKLIST.EXE to query information about running processes

Uses ICACLS.EXE to modify access control list

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings